Fundamentals of Information Systems Security

Scope & Applicability: UOPX Courses
- CIS 207 Information Systems Fundamentals
- CMGT 244 Intro to IT Security
- CMGT 245 IS Security Concepts
- CMGT 400 Intro to Information Assurance & Security
- CMGT 440 Intro to Information Systems Security
- CMGT 441 Intro to Information Systems Security Management
- CMGT 430 Enterprise Security
- CMGT 442 Information Systems Risk Management
Objectives
Review of Concepts. What is (are):
- Information Systems?
- Information Security?
- Information Systems Security?
- Information Assurance?
- Cyber Security?
- Defense in Depth?
Significance / Importance of Concepts
Advanced Topics in Security Risk Analysis
Present & Future Challenges
Q&A
Who am I?
Information Systems Authorizing Official Representative
- United States Pacific Command (USPACOM)
- Risk Management Field
- Assessments to USPACOM Authorizing Official / CIO
Former Electronics Engineer
Bachelor of Science in Electrical Engineering
Master of Science in Information Systems
Ph.D. Student in Communication & Information Sciences
Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP)
Review of Concepts
What are Information Systems?
- Systems that store, transmit, and process information.
What is Information Security?
- The protection of information.
What is Information Systems Security?
- The protection of systems that store, transmit, and process information.

Review of Concepts
What is Information Assurance?
- Emphasis on Information Sharing
- Establishing and controlling trust
- Authorization and Authentication (A&A)
What is Cyber Security?
- Protection of information and systems within networks that are connected to the Internet.

Review of Concepts
Progression of Terminology
- Computer Security (COMPUSEC): legacy term (no longer used).
- Information Security (INFOSEC): legacy term (still used).
- Information Assurance (IA): term widely accepted today, with focus on Information Sharing.
- Cyber Security: broad term quickly being adopted.

Review of Concepts
What is the Defense in Depth Strategy?
- Using layers of defense as protection: People, Technology, and Operations.
- Onion Model, from the center outward: Data, Application, Host, Internal Network, Perimeter, Physical, Policies & Procedures.

Review of Concepts
Defense in Depth Primary Elements [diagram]
- People, Technology, Operations
- DiD PDR Paradigm: Protect, Detect, React
- Information Security Services (ISS): Confidentiality, Integrity, Availability
- Information Assurance Services (IAS): Continuity, Physical, Cyber, Configuration, Training, Identity A&A, Content
- ISS Management

What is a Backup Plan (BP) vs Disaster Recovery Plan (DRP) vs Emergency Response Plan (ERP) vs Business Recovery Plan (BRP) vs Business Impact Analysis (BIA) vs Incident Response Plan (IRP) vs Continuity of Operations Plan (COOP) vs Contingency Plan?
- Policy & Planning
- Test, Audit, Update
- Configuration Control
- Protection, Detection, Reaction (Assessment, CND, Incident Response)

Why is this important?
Information is valuable; therefore, Information Systems are valuable, and so on.
Compromise of Information Security Services (C-I-A) has real consequences (loss):
- Confidentiality: death, proprietary info, privacy, theft
- Integrity: theft, disruption
- Availability: productivity lost, C2, defense, emergency services
Why is this important?
- Fixed resources
- Sustainable strategies reduce costs
[Figure: Cost vs. Time, with Incidents marked; curves "Without DiD" and "With DiD" across the Protect / Detect / React phases, against a "Cost Prohibitive / Threshold" line.]

Advanced Topics: Measuring Risk
What is Risk?
thus
- Qualitative vs. Quantitative Methods
- Risk Assessments vs. Risk Analysis
- Security Risk Analysis (SRA)
- Units for measurement?
Advanced Topics: Measuring Risk
Risk is conditional, NOT independent.
Advanced Topics: Measuring Risk
Quantitative, time-dependent (continuous) Risk Distribution Function:
Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems (Master's Thesis). Hawaii Pacific University, Honolulu, HI.
Advanced Topics: Measuring Risk
- Expected Value of Risk = Product of Risks
- Risk is never zero
- Risk Dimension (units): confidence in ISS, C-I-A
Advanced Topics: Measuring Risk
Expected Value and Risk Loss: Confidence vs Cumulative Risk Product
Advanced Topics: Measuring Risk
Risk Areas as a function of Probability and Impact
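The two ideas on the preceding slides, risk as a product of conditional per-layer risks with a confidence measure derived from the cumulative product, and risk areas as a function of probability and impact, can be made concrete in a small model. The code below is an added example written for this page; it is not from the talk or the cited thesis. The layer names follow the Onion Model above, but the bypass probabilities, the risk floor, the 1 to 5 rating scales and the band thresholds are all constructed assumptions for illustration.

```python
"""Added example: cumulative risk across defense-in-depth layers and a
probability-by-impact risk matrix. All numbers are constructed assumptions."""

# Defense-in-depth layers from the Onion Model, outermost first, each with the
# probability that an attack gets through it GIVEN that every outer layer has
# already been bypassed (conditional, not independent). Illustrative values.
LAYERS = [
    ("policies & procedures", 0.90),
    ("physical", 0.30),
    ("perimeter", 0.25),
    ("internal network", 0.40),
    ("host", 0.35),
    ("application", 0.50),
    ("data", 0.60),
]

# "Risk is never zero": never let a layer claim it is impossible to bypass.
RISK_FLOOR = 1e-6


def cumulative_risk(layers=LAYERS):
    """Probability that an attack traverses every layer and reaches the data:
    the product of the conditional per-layer bypass probabilities."""
    risk = 1.0
    for _name, bypass in layers:
        risk *= max(bypass, RISK_FLOOR)
    return risk


def confidence(layers=LAYERS):
    """Confidence in the information security services (C-I-A) of the system,
    expressed as the complement of the cumulative risk product."""
    return 1.0 - cumulative_risk(layers)


def risk_score(probability, impact):
    """Risk matrix cell: probability (1..5) times impact (1..5)."""
    if not (1 <= probability <= 5 and 1 <= impact <= 5):
        raise ValueError("probability and impact must be rated 1..5")
    return probability * impact


def risk_area(score):
    """Map a matrix score to a risk area. Band thresholds are assumptions."""
    if score >= 20:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 6:
        return "moderate"
    return "low"


def rate_cia_losses(probability, impacts):
    """Rate the loss for each security service (confidentiality, integrity,
    availability) at a common probability. impacts: {service: impact 1..5}."""
    rated = {}
    for service, impact in impacts.items():
        score = risk_score(probability, impact)
        rated[service] = (score, risk_area(score))
    return rated


if __name__ == "__main__":
    # With the full stack versus a thinner stack ("without DiD"): fewer layers
    # means a larger cumulative risk and lower confidence.
    thin = [("perimeter", 0.25), ("host", 0.35)]
    print(f"with DiD:    risk={cumulative_risk():.6f} confidence={confidence():.6f}")
    print(f"without DiD: risk={cumulative_risk(thin):.6f} confidence={confidence(thin):.6f}")
    # Constructed ratings: moderately likely event, heaviest impact on confidentiality.
    for service, (score, area) in rate_cia_losses(3, {"confidentiality": 5,
                                                      "integrity": 3,
                                                      "availability": 2}).items():
        print(f"{service:15s} score={score:2d} area={area}")
```

The layer probabilities are conditional by construction: each one is read as "given the attacker is already past everything outside this layer", which is what the slide means by risk being conditional rather than independent. Removing layers from the list, or raising any one bypass probability, raises the product and lowers the confidence figure, so the function gives a direct way to compare a layered design with a thinner one.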
Present Challenges
- Rapid growth of Advanced Persistent Threats (APTs)
- Half a million cases of cyber-related incidents in 2012. Is this a problem?
- What about vulnerabilities associated with interconnections?
Source: US-CERT
Future Challenges
Cyberspace: Are we at war?
Cyber Crime vs Cyber Warfare vs Cyber Conflict
[Figure: spectrum of Cyber Crime, Cyber Conflict and Cyber Warfare, with activities Espionage (spying / theft of information), Sabotage (disruption) and Attack (destruction).]

Closing Thoughts
Information Systems Security (Cyber Security) is an explosive field.
- Spanning Commercial, Private and Government Sectors
- Demand >> Capacity: strategies, solutions, workforce, $
- Evolving field (not fully matured)
Security will change our communications landscape
- Efficiencies (centralization of services, technology)
- Intelligent design of network interconnections and interdependencies
- Regulations